ardamax | 5f024533a5a2ae34dd52255157eb1da31519ef8ab852c298e0fc38226d5d4783

Analysis

max time kernel
137s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe
Size

1.5MB
MD5

731a72c330851c00eddaaab7485e1ab7
SHA1

1d915d4b2ff73fd945d7be5015148e8a0a0aa1f4
SHA256

5f024533a5a2ae34dd52255157eb1da31519ef8ab852c298e0fc38226d5d4783
SHA512

a08b34fc881d2574c886b5c676f0bd862649bb846f54f13592ea3258be95b4ad4559903e0fe83d43c77c69ba28f3ae782d776edec60f227362deebe864c7b521
SSDEEP

24576:M/ZwBeJgRh7/tH40tFbeiG7AhHlCGR6dwskBphv7YqokULr8K/GCYYeTY:EM/t7ip6HQGR6d8YqoF/84GCYY

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\TGFEPI\OKJ.exe	family_ardamax

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe13.exe8.exenewest keylogger.exe5.exe3.exe6.exe2.exe14.exe12.exe11.exe10.exe9.exe7.exe4.exe1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	13.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	newest keylogger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 16 IoCs

Processes:

14.exe13.exe12.exe11.exe10.exe9.exe8.exe7.exe6.exe5.exe4.exe3.exe2.exe1.exenewest keylogger.exeOKJ.exe

pid	process
2280	14.exe
3600	13.exe
2032	12.exe
232	11.exe
5036	10.exe
4968	9.exe
3396	8.exe
2804	7.exe
1008	6.exe
3080	5.exe
1636	4.exe
3648	3.exe
2220	2.exe
4044	1.exe
2524	newest keylogger.exe
3424	OKJ.exe

Loads dropped DLL 1 IoCs

Processes:

OKJ.exe

pid process

3424 OKJ.exe

pid	process
3424	OKJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

OKJ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OKJ Start = "C:\\Windows\\SysWOW64\\TGFEPI\\OKJ.exe"	OKJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

Processes:

newest keylogger.exeOKJ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TGFEPI\AKV.exe	newest keylogger.exe
File created	C:\Windows\SysWOW64\TGFEPI\OKJ.003	newest keylogger.exe
File created	C:\Windows\SysWOW64\TGFEPI\OKJ.exe	newest keylogger.exe
File opened for modification	C:\Windows\SysWOW64\TGFEPI\	OKJ.exe
File created	C:\Windows\SysWOW64\TGFEPI\OKJ.004	newest keylogger.exe
File created	C:\Windows\SysWOW64\TGFEPI\OKJ.001	newest keylogger.exe
File created	C:\Windows\SysWOW64\TGFEPI\OKJ.002	newest keylogger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2.exenewest keylogger.exe11.exe7.exe3.exe14.exeOKJ.exe4.exe1.exe13.exe12.exe8.exe6.exe5.exe731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe10.exe9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newest keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OKJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OKJ.exe

pid process

3424 OKJ.exe
3424 OKJ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

OKJ.exe

description pid process

Token: 33 3424 OKJ.exe
Token: SeIncBasePriorityPrivilege 3424 OKJ.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OKJ.exe

pid process

3424 OKJ.exe
3424 OKJ.exe
3424 OKJ.exe
3424 OKJ.exe

pid	process
3424	OKJ.exe
3424	OKJ.exe

description	pid	process
Token: 33	3424	OKJ.exe
Token: SeIncBasePriorityPrivilege	3424	OKJ.exe

pid	process
3424	OKJ.exe
3424	OKJ.exe
3424	OKJ.exe
3424	OKJ.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe14.exe13.exe12.exe11.exe10.exe9.exe8.exe7.exe6.exe5.exe4.exe3.exe2.exe1.exenewest keylogger.exe

description	pid	process	target process
PID 3424 wrote to memory of 2280	3424	731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe	14.exe
PID 3424 wrote to memory of 2280	3424	731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe	14.exe
PID 3424 wrote to memory of 2280	3424	731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe	14.exe
PID 2280 wrote to memory of 3600	2280	14.exe	13.exe
PID 2280 wrote to memory of 3600	2280	14.exe	13.exe
PID 2280 wrote to memory of 3600	2280	14.exe	13.exe
PID 3600 wrote to memory of 2032	3600	13.exe	12.exe
PID 3600 wrote to memory of 2032	3600	13.exe	12.exe
PID 3600 wrote to memory of 2032	3600	13.exe	12.exe
PID 2032 wrote to memory of 232	2032	12.exe	11.exe
PID 2032 wrote to memory of 232	2032	12.exe	11.exe
PID 2032 wrote to memory of 232	2032	12.exe	11.exe
PID 232 wrote to memory of 5036	232	11.exe	10.exe
PID 232 wrote to memory of 5036	232	11.exe	10.exe
PID 232 wrote to memory of 5036	232	11.exe	10.exe
PID 5036 wrote to memory of 4968	5036	10.exe	9.exe
PID 5036 wrote to memory of 4968	5036	10.exe	9.exe
PID 5036 wrote to memory of 4968	5036	10.exe	9.exe
PID 4968 wrote to memory of 3396	4968	9.exe	8.exe
PID 4968 wrote to memory of 3396	4968	9.exe	8.exe
PID 4968 wrote to memory of 3396	4968	9.exe	8.exe
PID 3396 wrote to memory of 2804	3396	8.exe	7.exe
PID 3396 wrote to memory of 2804	3396	8.exe	7.exe
PID 3396 wrote to memory of 2804	3396	8.exe	7.exe
PID 2804 wrote to memory of 1008	2804	7.exe	6.exe
PID 2804 wrote to memory of 1008	2804	7.exe	6.exe
PID 2804 wrote to memory of 1008	2804	7.exe	6.exe
PID 1008 wrote to memory of 3080	1008	6.exe	5.exe
PID 1008 wrote to memory of 3080	1008	6.exe	5.exe
PID 1008 wrote to memory of 3080	1008	6.exe	5.exe
PID 3080 wrote to memory of 1636	3080	5.exe	4.exe
PID 3080 wrote to memory of 1636	3080	5.exe	4.exe
PID 3080 wrote to memory of 1636	3080	5.exe	4.exe
PID 1636 wrote to memory of 3648	1636	4.exe	3.exe
PID 1636 wrote to memory of 3648	1636	4.exe	3.exe
PID 1636 wrote to memory of 3648	1636	4.exe	3.exe
PID 3648 wrote to memory of 2220	3648	3.exe	2.exe
PID 3648 wrote to memory of 2220	3648	3.exe	2.exe
PID 3648 wrote to memory of 2220	3648	3.exe	2.exe
PID 2220 wrote to memory of 4044	2220	2.exe	1.exe
PID 2220 wrote to memory of 4044	2220	2.exe	1.exe
PID 2220 wrote to memory of 4044	2220	2.exe	1.exe
PID 4044 wrote to memory of 2524	4044	1.exe	newest keylogger.exe
PID 4044 wrote to memory of 2524	4044	1.exe	newest keylogger.exe
PID 4044 wrote to memory of 2524	4044	1.exe	newest keylogger.exe
PID 2524 wrote to memory of 3424	2524	newest keylogger.exe	OKJ.exe
PID 2524 wrote to memory of 3424	2524	newest keylogger.exe	OKJ.exe
PID 2524 wrote to memory of 3424	2524	newest keylogger.exe	OKJ.exe

C:\Users\Admin\AppData\Local\Temp\731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\731a72c330851c00eddaaab7485e1ab7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\14.exe
  "C:\Users\Admin\AppData\Local\Temp\14.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\13.exe
    "C:\Users\Admin\AppData\Local\Temp\13.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\12.exe
      "C:\Users\Admin\AppData\Local\Temp\12.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Users\Admin\AppData\Local\Temp\10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\newest keylogger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\newest keylogger.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\TGFEPI\OKJ.exe
        
        "C:\Windows\system32\TGFEPI\OKJ.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
1.2MB

MD5
cc40455e160926dc0c01f71dbb260352

SHA1
fe830ac86773aa9af3f36d1a50f696e63601e33c

SHA256
a782328ae5a4e3782611e873ef7fbbc512ba746c32681b6930b44ed707150e59

SHA512
ceffc8f50b3a57ee0477d33be24dda2fb4bfe644bffc06591424c6bacdff447c6d76d42325b2baa4fa820e1cdfd566c2876f26f889596520955ac7658f6d4c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
1.4MB

MD5
3a925270bf9609d45a2b4df97e221057

SHA1
7cffb8b41181bc11f4ba8a004ba46b2a6b0bf915

SHA256
78a99ba1618fcb648b3ea18867e4ec5e00b32a79081252c5bcd3d2894b148519

SHA512
db79b1d573d46a4b50ff39915a766224d37ca9dba886d71e5916300a4ed3329f0ba68606eca211fb131a4826a85a053138adb165bf2b051050886d454e2421a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
1.4MB

MD5
a92f43305031e90ca4f5f4e4934184e5

SHA1
44e3ae161bb6a04939b2f8863abda964a624b474

SHA256
39cc23a60a887c3aef044438ca1e2fc409a6510ab366741f9e6e2a75daa55adf

SHA512
54d63286d90482d8cdb8571f5cd907e8ef08835d9a7e7f030a03aa5d6bc90439436cdd3865cb12ea0f3d129da6bbec97a573eaec348883832496c2dd03cf9220

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
1.5MB

MD5
10b57df1591d237e3fcc5015544bfa80

SHA1
746c92af65c434ce4b0376293f026b4e22e54223

SHA256
78e63304544052b6ac499587064da764351d04b1c8a3070e9d28f308e29ff630

SHA512
2f648bd5207d356e278e85525467e552b36f874757fac28a9424140942ce26a8926deb2a8d2d7fb2b4216f0a1a059154893964a9033a6bfa4a3cbb56c691dba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
1.5MB

MD5
3de6849144e5efbf50d4e0cf121c0948

SHA1
b31182d4f8293e771e5297ba6eadd4a7aa85bf7a

SHA256
eba2065f5758f32da2967c4dcbd1dfe9ceefe98de0ae037e94d1e20deaa4afea

SHA512
81b095fa5c1bd4466064dffcc8a2db75f5d6d5bcbf021d6a407461ae0e416fd0caa452e7c3efdd5b60eac8a53f531aaf553a13509443325db00c149d90933ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.exe

Filesize
1.5MB

MD5
b2d3d71c66396b7c29a1df9da1bc3ebe

SHA1
8bf4bf4683af44c6e5e9b0f35b8fd02c1eda5a6e

SHA256
8ad5cf0e0d958123ff47d866d7e6b8a16cc64bccc019e27b8befa5d77139fbcc

SHA512
34f87807720cabf4a74b8609985f637da41e61a65894d9806de5884496b6c79e4d0956d19bf19efecb61da29db93bafdc373d5e079a4479aec9eeb831a8f38a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.2MB

MD5
04dab96a3fa1c1112b93a31f6bffac0c

SHA1
3323ca3bd1448f58d3641cb5e70780886cfd8c8b

SHA256
8cea9c48051e74df55bade6ff054838f9c55dfa33586ad98ba400d916a99993d

SHA512
f454f0cc8758f2c5aafb4a51126dd67a4b2317dc5db1437f82695286e8d8971d21ba54190d12904476482f544d48dc9b1e451bd09df8897415513d55834e3074

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
1.3MB

MD5
20ff9d5cd6b4d4c1d680574589fee1e2

SHA1
281496d3e2c0ebeb94400eee933b167f7925964d

SHA256
2be5b493dcab94fb0d0273c3623ea45017b6201242c04a1c20b0685c34a3de70

SHA512
a9fad6cc61181dd491a709ba41bf884137fc6750fe235a183e5f6568c28a1d00b128c68b882119f03f41cedd6dfdfcc211a0a93015d7b4968697555f5ba193b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
1.3MB

MD5
3d46a4eb788ad6eded746a2a40153477

SHA1
c0ad292429f498686471a768da79fd7c43c7c958

SHA256
1ab4e7c557818f92bc633e93829fca87cf3ea82cf22ed60e1542cd86b0677b6e

SHA512
e9fd5c630ae2f580e95305516777561428516bc64bf2e723b8601bb0c1f9f675ffa881f0a9b571f4ef39efc41233fd48f9f02da121d47150c27791a077ce1ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
1.3MB

MD5
484ecf89540746869807f45148a2f2e5

SHA1
407e9242c74cf6d206ced86935ebe3a398ca9a38

SHA256
eb9ded3cea62d3f5f994b3ff1f93c261859d20ccd82e324d269c81b0d43a0f70

SHA512
3de402ca92d265331bc6445e1d8e0c48b29af91fc4a433e7ec5af1c16e081ab9a677aa51dfea2014163f5c3c20afb2e4941cdfadf6772fcfbdb920e96492c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
1.3MB

MD5
41c3b7ce9fa12290b6d3e23f6782d86d

SHA1
b389afe59b59d7a15e7ed53f642ac098c1108242

SHA256
fd32899eed87b2da5c2eb071ac673097e4608a54fb0e612f1271efe782365b4f

SHA512
09fc2afdb3ff084ed27557dbe6ed1ef1f034c9065ed609cd00aef738e3acef79cdbfe147253ec9034a5a9ae6c31aa1629cb1c4c99a689332369799afebd96d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
1.4MB

MD5
5ca640fe3769a2f1bfe215671c9845ec

SHA1
d5ed3e19e5989ca70266ba577aa701e6134a175a

SHA256
fda13669ef8d83312943bf5950222329c4bec38724f49a61e67ec452041e4b53

SHA512
ceeea7fa08a6fed9495018dfb4f7adeca138f84ae3397f6f2bd9d01f7133102f44c8725a2fa72f442e566b4f289278fde9c808b09098056396ac8a4296f90d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
1.4MB

MD5
e850c0929b3ee67fa81ba6e13b2d001d

SHA1
dccec3171a4dab04c0f7e99ece55038c19ffe0dd

SHA256
69a47188c35cab062d0b07c965e7c49613827c42788c4fe89f821735cdae35f3

SHA512
60a62106412dd821dfa97efbab8051578764a44f665b6db463496fd7942289428fd1084c297d5b1bb0f1d24c2828067c80451c478a8a4552620ce7ab06f4b259

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
1.4MB

MD5
20e965b046fadf039f7f1234e06bde40

SHA1
353e0b2c7fff94667a1d7ba899a2fee8a7282e6a

SHA256
5c42a1bf9934333991bb3ae3c555fd7fdb5548816e53ce58db19475f7738e04a

SHA512
c06e2cc9924a3f47431eda60544e7a7a7d66d2a48f46e8706e35c420651c216194dd08a2716e116e07ad8cc5a14dd2f49740191ca01a984501106a04e8cfcdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\newest keylogger.exe

Filesize
1.2MB

MD5
ea810658a49cae0971b9661462bbb898

SHA1
da34317e75faa21a516ecb9221997640e7a76550

SHA256
538c8548fe9788fc8b73a1ae9c4ca272fcec4319aa8146e208307e6bb3bc39f2

SHA512
025ebf146581a842cdf57fe2550f0e8c490152fecb6946ba0a086ce27f684a0b933200a5ad21acc13021104e14dc87a0c631d3a839e8d12137130254f071c08f

Download Submit
C:\Windows\SysWOW64\TGFEPI\AKV.exe

Filesize
490KB

MD5
4a9c593eecd544d364a177b13c2bca08

SHA1
4d45a5bd2ae551e1094eb5b05a1dd771dd5c5a2f

SHA256
f834b097641aeea37281d50353f3b88fd83749ed77a8db0bfc1f28dc1dfeac7e

SHA512
b7d5e5eb03f05763b34b722e7b19d320db3b2bb32b1d367bf79376c56a01d3c06541db6c2518623e9aa1ca6a7880189519aa1d09fe27817eb5aff67c62dfea03

Download Submit
C:\Windows\SysWOW64\TGFEPI\OKJ.001

Filesize
61KB

MD5
1b96913d74f1c4f36c846c0a804a7037

SHA1
8e0dfc0012edb64042b018d470950cd5e415aa5a

SHA256
553b04ef8dd080a1c8c9b285008fbef1134c44fd98ca7cc2d3600b870882e761

SHA512
ed6b01ad0dd6ef9ed24c1e5fd8c7f6f1e68c4c5d5c1d75e770c9cda4cdde09c5eefde6009c864956ff1e1e379d40ee105bf7a1a033bd1ee95c797762d1f06f9f

Download Submit
C:\Windows\SysWOW64\TGFEPI\OKJ.002

Filesize
44KB

MD5
6d836081d32019c0a5928587be5ef42c

SHA1
d51bdc15dca361f17418746bbe0efa3a7dee046c

SHA256
6ca6cab6f131ee5b69d445a64cc269f1489ee8ecaf6dbfdbc400b829490f8c21

SHA512
2cabc9d6e8f017b8f42680018cadea69824bb40ec60c7a534135c66363be1b53e575c6fe39b8861923744f62b5e531492f1d729f12de32e29ff9cf7869d22ade

Download Submit
C:\Windows\SysWOW64\TGFEPI\OKJ.003

Filesize
66KB

MD5
6191060619673145e2c011af83742e15

SHA1
14094b87ad1f9b6f8f90753da80c2f5db96b1196

SHA256
d8e2476c6ca59aee323d83c06c90927a92d49ce71bab19f4a593362f5107d6b9

SHA512
e79f1f63d88195660932f317e74c0405796b7ce60bd057e249f8a255d64562de5459d838bbf4b4adc34225d8a476806ac563b1a1becee4b10a6364cb62825c64

Download Submit
C:\Windows\SysWOW64\TGFEPI\OKJ.004

Filesize
1KB

MD5
643761052608caa23410a8f42a37b833

SHA1
67cd22b7a53b9e29b9288d12c91b67f2d5129f18

SHA256
d6682e11e682427871994497fdd6cc97d45449be668db98baf644555522084ab

SHA512
64c06a8c6c9d68e302080229948780ed73c8252049a7bbcc9fb3f5fd499c0e11ed001c8d38fcdb1013739c36bc2c8804b1e776f22d768f9d43d28f037966c927

Download Submit
C:\Windows\SysWOW64\TGFEPI\OKJ.exe

Filesize
1.7MB

MD5
a2ff5d2b7214bd4c0d5e13223ece568c

SHA1
a710b1d805aba3abd7734c0c07f300d7be95a1af

SHA256
60a09a85e7779af967967925237a5408735ea2ecca9b182e0c1049f4f261b302

SHA512
909a51ab15b6b793087728bf5ddae551dbd7b32ed16929e6db0a23c897f742e2218b270c9d055fd6f261b3a1e1595daffc387511e85643bf35a8c0b6155c18d8

Download Submit